from lib.cuckoo.common.abstracts import Signature


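class ReadUserDataFolder(Signature):
    """Flag registry reads of the Explorer keys that describe user data folders.

    The signature matches ``regkey_read`` events on
    ``...\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders`` and
    ``...\\Explorer\\FolderDescriptions`` (including subkeys, since the pattern
    has no trailing anchor) and records every matching key as a registry IOC.
    """

    name = "read_user_data_folder"
    # Only read accesses are checked in on_complete(); the "possibly tampering"
    # wording is not backed by a write or delete check in this signature.
    description = "Attempt to read user data folder information, possibly tampering."
    # NOTE(review): ordinary applications also read "Shell Folders" when they
    # resolve known-folder paths, so a hit is a weak indicator by itself.
    # Confirm this severity against benign samples before relying on it.
    severity = 3
    categories = ["reg"]
    authors = ["xuhy"]
    minimum = "2.0"

    # The Windows key is named "FolderDescriptions"; the earlier spelling
    # "FoldersDescriptions" never matched it. "Folders?" accepts both forms, so
    # anything that matched before still matches.
    # NOTE(review): "User Shell Folders" sits beside "Shell Folders" and is not
    # covered by this pattern - confirm whether that is intentional.
    regkeys_re = [
        r".*\\(SOFTWARE|Software)\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(Shell Folders|Folders?Descriptions)",
    ]

    def on_complete(self):
        """Mark every matching registry read and report whether any was found.

        Returns:
            The result of ``self.has_marks()`` after all patterns in
            ``regkeys_re`` have been checked.
        """
        for indicator in self.regkeys_re:
            # all=True asks check_key for every matching key rather than the
            # first one, so each key read ends up in the report.
            for regkey in self.check_key(pattern=indicator, regex=True, actions=["regkey_read"], all=True):
                self.mark_ioc("registry", regkey)

        return self.has_marks()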
